Fixing RBAC problems in Kubernetes 1.6.

If you are using Kubernetes 1.6.x, you need to define RBAC rules for the controller to access the default-http-backend service and other required components.




I0531 02:36:29.882636       7 launch.go:101] &{NGINX 0.9.0-beta.7 git-c1b8a32 https://github.com/kubernetes/ingress}
I0531 02:36:29.882660       7 launch.go:104] Watching for ingress class: nginx
I0531 02:36:29.882815       7 launch.go:257] Creating API server client for https://10.254.0.1:443
F0531 02:36:29.914513       7 launch.go:118] no service with name kube-system/default-http-backend found: User "system:serviceaccount:kube-system:default" cannot get services in the namespace "kube-system". (get services default-http-backend)




Solution:

apiVersion: v1
kind: Namespace
metadata:
  name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - "extensions"
    resources:
      - ingresses/status
    verbs:
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: nginx-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: nginx-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: nginx-ingress





The same problem:

2017-06-15 03:05:29 +0000 [info]: adding match pattern="**" type="elasticsearch"
2017-06-15 03:05:29 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error="Exception encountered fetching metadata from Kubernetes API endpoint: 403 Forbidden (User \"system:serviceaccount:kube-system:default\" cannot list pods at the cluster scope.)"
2017-06-15 03:05:29 +0000 [info]: process finished code=256
2017-06-15 03:05:29 +0000 [warn]: process died within 1 second. exit.
You have new mail in /var/spool/mail/root
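
Both log excerpts on this page carry the same API-server denial text. The Python sketch below is an added example, not part of the original post: it parses that text and derives the narrowest rule for the single refused request (a namespaced Role when the denial names a namespace, a ClusterRole otherwise). The function names and shortened sample lines are constructed for illustration, and the `resource.group` handling is an assumption.

```python
import re

# Matches the RBAC denial text in both log excerpts on this page (quotes may be
# backslash-escaped, as in the fluentd line).
DENIAL = re.compile(
    r'User \\?"system:serviceaccount:(?P<sa_ns>[^:"\\]+):(?P<sa>[^"\\]+)\\?" '
    r'cannot (?P<verb>\w+) (?P<resource>[\w./-]+) '
    r'(?:in the namespace \\?"(?P<ns>[^"\\]+)\\?"|at the cluster scope)'
)

def parse_denial(line):
    """Return the denied request as a dict, or None if the line is not a denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    # Assumption: non-core resources appear as "resource.group"; core ones have no dot.
    resource, _, group = m["resource"].partition(".")
    return {"sa_namespace": m["sa_ns"], "sa": m["sa"], "verb": m["verb"],
            "resource": resource, "api_group": group, "namespace": m["ns"]}

def minimal_grant(d):
    """Smallest rule that satisfies one denial: a namespaced Role where possible."""
    cluster = d["namespace"] is None
    return {
        "kind": "ClusterRole" if cluster else "Role",
        "namespace": d["namespace"],
        "rule": {"apiGroups": [d["api_group"]], "resources": [d["resource"]],
                 "verbs": [d["verb"]]},
        # The "default" account is shared by every pod in its namespace that sets
        # no serviceAccountName, so a grant to it reaches all of those pods.
        "shared_default_account": d["sa"] == "default",
    }

# Constructed sample input: the two denial lines quoted on this page, shortened.
SAMPLES = [
    'F0531 launch.go:118] User "system:serviceaccount:kube-system:default" cannot '
    'get services in the namespace "kube-system". (get services default-http-backend)',
    '[error]: error="403 Forbidden (User \\"system:serviceaccount:kube-system:default\\" '
    'cannot list pods at the cluster scope.)"',
    '[info]: adding match pattern="**" type="elasticsearch"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        d = parse_denial(line)
        print(minimal_grant(d) if d else "not an RBAC denial")
```

Both denials name the `default` account in kube-system, so a binding to a dedicated account such as nginx-ingress-serviceaccount only takes effect for pods whose `serviceAccountName` selects that account.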


Solution:



